Encryption bridge system and method of operation thereof

ABSTRACT

A self-authenticating encryption bridge, and method of operation thereof, including: a user input module for remaining locked until a user has been authenticated; an encryption/decryption control module responsive to the user input module for encrypting or decrypting data when the user has been authenticated; a first communication channel for transferring encrypted data from a mass storage device to the encryption/decryption control module; and a second communication channel for transferring clear data to a computer from the encryption/decryption control module.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a Continuation of U.S. patent application Ser. No. 12/684,108 filed Jan. 7, 2010, which claims the benefit of U.S. Provisional Patent Application Ser. No. 61/143,155 filed Jan. 7, 2009, and the subject matter thereof is incorporated herein by reference thereto.

The present application contains subject matter related to co-pending U.S. patent application Ser. No. 12/652,035 filed Jan. 4, 2010. The related application is assigned to ClevX, LLC and the subject matter thereof is incorporated herein by reference thereto.

TECHNICAL FIELD

The present invention relates generally to mass storage devices, and more specifically to an apparatus and method of controlling encryption between a host computer system and a mass storage device.

BACKGROUND ART

A critical issue with almost all aspects of computer system and mobile electronic device use, including portable memory storage, is security. This also applies to electronic products containing memory storage as an integral part of the design. For example, digital cameras, MP3 players, smart phones, palm computers, gaming devices, etc., that may have confidential information residing in memory. Whether it is an email account, financial information or corporate data, a user must be authenticated in order to gain access to this information.

Encryption is typically the means to hide sensitive information. It is a complex process that hides data so that it cannot be interpreted until a correct decryption key is used to decode the data. A computer is generally used to access data in internal as well as external mass storage devices. Data is encrypted prior to storing and decrypted upon retrieval.

Encryption, provided by a computer, consumes system resources whether the encryption is applied to internal or external storage devices. Thus, the computer requires higher performance hardware to reduce system burden. A better solution is to put the burden of encryption on the mass storage device to free up computer resources. It then becomes a simple matter of connecting the mass storage device to the computer with no complex formatting and partitioning required on the computer end.

There are few self-encrypting mass storage devices on the market. If a user already has a mass storage device, the user must either purchase a new self-encrypting drive or purchase encryption software for the user's computer. Self-encrypting drives are typically more expensive than their non-encrypting counterparts.

An encryption bridge used to connect a computer with an external mass storage device reduces the burden on computer resources and is more cost effective than purchasing multiple self-encrypting drives, but allows access to secured data just by having possession of the encryption bridge.

Solutions to these problems have been long sought but prior developments have not taught or suggested any solutions and, thus, solutions to these problems have long eluded those skilled in the art.

DISCLOSURE OF THE INVENTION

The present invention provides a method of operation of a self-authenticating encryption bridge including: locking a user input module until a user has been authenticated; encrypting or decrypting data in an encryption/decryption control module when the user has been authenticated in the user input module; transferring encrypted data from a mass storage device to the encryption/decryption control module in a first communication channel; and transferring clear data to a computer from the encryption/decryption control module in a second communication channel.

The present invention further provides a self-authenticating encryption bridge including: a user input module for remaining locked until a user has been authenticated; an encryption/decryption control module responsive to the user input module for encrypting or decrypting data when the user has been authenticated; a first communication channel for transferring encrypted data from a mass storage device to the encryption/decryption control module; and a second communication channel for transferring clear data to a computer from the encryption/decryption control module.

Certain embodiments of the invention have other aspects in addition to or in place of those mentioned above. The aspects will become apparent to those skilled in the art from a reading of the following detailed description when taken with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the components of an encryption bridge system in accordance with an embodiment of the present invention.

FIG. 2 is a block diagram of a self-authenticating encryption bridge in accordance with a further embodiment of the present invention.

FIG. 3 shows a flow chart of a method for validating a user and transferring data in accordance with a still further embodiment of the present invention.

FIG. 4 shows a block diagram of a self-authenticating encryption bridge with multiple encryption keys in accordance with an additional embodiment of the present invention.

FIG. 5 is a block diagram of a mass storage device with an integrated self-authenticating encryption bridge in accordance with a further additional embodiment of the present invention.

FIG. 6 is a flow chart of a method of operation of an encryption bridge system in a further embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The following embodiments are described in sufficient detail to enable those skilled in the art to make and use the invention. It is to be understood that other embodiments would be evident based on the present disclosure, and that process or mechanical changes may be made without departing from the scope of the present invention.

In the following description, numerous specific details are given to provide a thorough understanding of the invention. However, it will be apparent that the invention may be practiced without these specific details. In order to avoid obscuring the present invention, some well-known circuits, system configurations, and process steps are not disclosed in detail.

Likewise, the drawings showing embodiments of the apparatus/device are semi-diagrammatic and not to scale and, particularly, some of the dimensions are for clarity of presentation and are shown greatly exaggerated in the drawing FIGS.

Similarly, the drawings generally show similar orientations of embodiments for ease of description, but this is arbitrary for the most part. Generally, the various embodiments can be operated in any orientation.

Referring now to FIG. 1, therein is shown a block diagram of the components of an encryption bridge system 100 in accordance with an embodiment of the present invention. The encryption bridge system 100 is composed of a self-authenticating encryption bridge 102 connected to a host computer system 104 on an unencrypted or a clear data communication channel 106 and to a storage system such as a mass storage device 108 on an encrypted data channel 110.

The host computer system 104 sends unencrypted data to the self-authenticating encryption bridge 102. The data is intended to be stored on the mass storage device 108. The self-authenticating encryption bridge 102 encrypts the data and forwards it on to the mass storage device 108.

Likewise, the mass storage device 108 sends data to the self-authenticating encryption bridge 102 intended to be received by the host computer system 104. The self-authenticating encryption bridge 102 decrypts the data and forwards it on to the host computer system 104.

The self-authenticating encryption bridge 102 remains locked until an authorized user has been authenticated. The users must interact with the self-authenticating encryption bridge 102 in order to validate themselves as authorized users and enable the encryption/decryption process.

If the self-authenticating encryption bridge 102 is unable to authenticate the user, encrypted data is sent directly to the host computer system 104 where it will be useless because the host computer system 104 will not be able to decipher the encrypted data from the mass storage device 108.

Referring now to FIG. 2, therein is shown a block diagram of a self-authenticating encryption bridge 200 in accordance with a further embodiment of the present invention. The self-authenticating encryption bridge 200 is a bridge that can be used to identify one or more users and is composed of two modules: an encryption/decryption control module 202 (shortened to encryption control module in the FIGS.) and a user input module 204.

Within the encryption/decryption control module 202 is an authentication parameter module 206 for releasing an encryption key in an encryption key module 208.

The user must identify himself or herself by entering authentication information using the user input module 204. The authentication information can be a PIN (Personal Identification Number), radio frequency, light, biosignature, or other signal entered wirelessly or by wire to the user input module 204. Then, the encryption/decryption control module 202 verifies a user's identity against authentication parameters in the authentication parameter module 206. The verification process involves the authentication parameter module 206 providing a signal with authentication parameters to the user input module 204 for comparison by the user input module 204.

If the user is authenticated when the signals for the authentication information and the authentication parameters match, the user input module 204 unlocks and causes the release of the encryption key in the encryption key module 208 to the encryption/decryption control module 202. The encryption/decryption control module 202 then encrypts data moving wirelessly or by wire from the host computer system 104 of FIG. 1 through the clear data communication channel 106 to the mass storage device 108 of FIG. 1 through the encrypted data channel 110 and decrypts data wirelessly or by wire moving in the reverse direction. The encryption/decryption control module 202 also uses the encryption key in the encryption key module 208 to decrypt data moving from the mass storage device 108 to the host computer system 104.

The user input module 204 supplies the authentication interface between the user and the encryption/decryption control module 202. For example, the user input module 204 may consist of a series of buttons, that when pushed in certain order by a user, allow the encryption/decryption control module 202 to authenticate the user. In one embodiment, the series of numerical buttons allows a user to enter a personal identification number (PIN), which can then be compared against a PIN, which is one of the numbers stored in the authentication parameter module 206.

The user input module 204 is used herein as a general term that encompasses any number of human input mechanisms that can interact with the user. Examples of these mechanisms are:

Buttons—for entering a series of numbers like an ATM machine

Thumb-wheel—for entering a series of numbers like a combination lock

Fingerprint reader—for receiving and analyzing a user's fingerprint (or other biometric based input devices)

RF module—for receiving an authentication signal from a key fob.

The above is exemplary and not intended to be limiting.

Referring now to FIG. 3, therein is shown a flow chart 300 of a method for validating a user and transferring data in accordance with a still further embodiment of the present invention. The data flows between the mass storage device 108 and the host computer system 104 of FIG. 1.

The method starts when the user input module accepts input from a user in a block 302. From the above list of mechanisms, this can be a combination, PIN, fingerprint, etc. The encryption/decryption control module then verifies data sent from the user input module and compares this with an authentication parameter in the authentication parameter module in a block 304.

A check is then made to determine if the authentication parameter matches those supplied by the user in a decision block 306. If YES, the encryption/decryption control module enables the encryption/decryption process and the mass storage device becomes accessible by the host computer system in a block 308. If NO, the self-authenticating encryption bridge remains locked and the method returns to user input module accepts input in the block 302.

The self-authenticating encryption bridge waits for data sent either from the host computer system or the mass storage device in a block 310. Once the self-authenticating encryption bridge receives data, a decision is made if the data was sent from the host computer system in a decision block 312.

If data is received from the host computer system, the self-authenticating encryption bridge encrypts the data in a block 318 and sends the encrypted data on to the mass storage device in a block 320. If data is received from the mass storage device, the self-authenticating encryption bridge decrypts the data in a block 322 and sends it on to the host computer system in a block 324.

From the block 320 or 324, the method returns to the self-authenticating encryption bridge waits for data in the block 310.

Referring now to FIG. 4, therein is shown a block diagram of a self-authenticating encryption bridge 400 with multiple encryption keys in accordance with an additional embodiment of the present invention.

In the self-authenticating encryption bridge 400, a user may enter a first code, PIN A, in a user input module 402 for an encryption/decryption control module 404. The PIN A is associated with an authentication parameter A module 406. After a user is authenticated, the self-authenticating encryption bridge 400 is unlocked and an encryption key A module 408 allows access to an encryption key A available for the encryption/decryption process. An encryption key B module 410 remains inaccessible.

Likewise, a user may enter the PIN B to unlock the self-authenticating encryption bridge 400. The PIN B is associated with an authentication parameter B module 412. After the user is authenticated, the self-authenticating encryption bridge 400 is unlocked and the encryption key B module 410 allows access to an encryption key B to be used for the encryption/decryption process. The encryption key A module 408 remains inaccessible.

In this manner, a single self-authenticating encryption bridge may support multiple encryption keys for multiple users and multiple mass storage devices.

Another embodiment includes an encryption/decryption control module containing a single encryption key associated with multiple authentication parameter modules. In this embodiment, multiple users with different codes may access the same mass storage device.
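
The FIG. 3 flow and the FIG. 4 key-per-PIN arrangement modelled in software, as an added example that is not part of the patent text. The salted PBKDF2 authentication parameter, the SHA-256 keystream standing in for the cipher the text leaves unspecified, the refusal of host writes while locked, and all names are assumptions.

```python
import hashlib
import hmac
import os

HOST, STORAGE = "host", "storage"   # the two senders tested in decision block 312


def auth_parameter(pin: str, salt: bytes) -> bytes:
    """Assumption: the stored authentication parameter is a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def sector_xor(key: bytes, sector: int, data: bytes) -> bytes:
    """Stand-in cipher (not for real use): XOR with a SHA-256 counter keystream
    bound to the sector number. XOR makes encrypt and decrypt the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + sector.to_bytes(8, "big")
                             + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class Bridge:
    """Model of the encryption/decryption control module plus user input module."""

    def __init__(self):
        self._slots = []          # (salt, authentication parameter, encryption key)
        self._released = None     # released key; None means the bridge is locked

    def enroll(self, pin: str, key: bytes) -> None:
        salt = os.urandom(16)
        self._slots.append((salt, auth_parameter(pin, salt), key))

    def authenticate(self, pin: str) -> bool:
        """Blocks 302-308: compare input with every stored parameter and release
        only the key paired with the one that matches."""
        self._released = None     # a failed attempt always leaves the bridge locked
        for salt, param, key in self._slots:
            # compare_digest avoids leaking the match position through timing
            if hmac.compare_digest(auth_parameter(pin, salt), param):
                self._released = key
        return self._released is not None

    def transfer(self, sender: str, sector: int, data: bytes) -> bytes:
        """Blocks 310-324: encrypt host data, decrypt storage data."""
        if sender not in (HOST, STORAGE):
            raise ValueError("unknown sender")
        if self._released is None:
            if sender == STORAGE:
                return data       # locked: ciphertext reaches the host undecrypted
            # Assumption: the page does not say what happens to host writes
            # while locked; this model refuses them rather than store clear data.
            raise PermissionError("bridge is locked")
        return sector_xor(self._released, sector, data)


def demo() -> dict:
    """Constructed scenario: two users, two keys, one sector on the storage device."""
    bridge = Bridge()
    bridge.enroll("2468", os.urandom(32))      # PIN A -> encryption key A
    bridge.enroll("1357", os.urandom(32))      # PIN B -> encryption key B
    clear = b"quarterly payroll export, sector 7"

    bridge.authenticate("2468")
    stored = bridge.transfer(HOST, 7, clear)   # what the mass storage device holds
    results = {"stored_is_ciphertext": stored != clear,
               "user_a_reads": bridge.transfer(STORAGE, 7, stored) == clear}

    results["wrong_pin_accepted"] = bridge.authenticate("0000")
    results["locked_read_is_ciphertext"] = bridge.transfer(STORAGE, 7, stored) == stored

    bridge.authenticate("1357")                # key B released, key A inaccessible
    results["user_b_reads"] = bridge.transfer(STORAGE, 7, stored) == clear
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result shows the isolation FIG. 4 describes: a user holding PIN B unlocks the bridge but cannot recover data written under encryption key A.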

Referring now to FIG. 5, therein is shown a block diagram of a mass storage device 500 with an integrated self-authenticating encryption bridge 502 in accordance with a further additional embodiment of the present invention.

The integrated self-authenticating encryption bridge 502 is housed within the same package as the mass storage device 500. An encrypted data channel 504 is internal to the mass storage device 500 and connects internally with a storage media 506. A clear data channel 508 connects the integrated self-authenticating encryption bridge 502 to the host computer system 104.

A user input module 510 is integral with the package of the mass storage device 500. Since the integrated self-authenticating encryption bridge 502 is embedded within the mass storage device 500, the user input module 510 is placed so codes may be entered from outside the mass storage device 500. Thus, all possible modes of user input, as discussed in FIG. 2, are made available for the mass storage device 500.

Referring now to FIG. 6, therein is shown a flow chart of a method 600 of operation of an encryption bridge system 100 in a further embodiment of the present invention. The method 600 includes: authenticating a user using a self-authenticating encryption bridge in a block 602; and controlling encryption using the self-authenticating encryption bridge disposed between a computer system and a storage system in response to the authenticating of the user in a block 604.

Various embodiments of the present invention include the following aspects:

An encryption bridge system including:

providing a computer connected by way of a communication channel to the self-authenticating encryption bridge;

a mass storage device connected by way of a communication channel to the self-authenticating encryption bridge; and

a self-authenticating encryption bridge that encrypts data sent from the computer to the mass storage device and decrypts data sent from the mass storage device to the computer after a user has been authenticated.

A self-authenticating encryption bridge including:

a user input module for verifying user identity;

an encryption/decryption control module;

a communication channel for transferring clear data to the computer; and

a communication channel for transferring encrypted data to the mass storage device.

A self-authenticating encryption bridge as described above further including:

authentication parameters for authenticating a user; and

encryption key(s) used for encrypting/decrypting data.

A self-authenticating encryption bridge as described above further including:

a user input module capable of accepting keyed or manipulable input.

A self-authenticating encryption bridge as described above further including:

a user input module capable of accepting biometric input.

A self-authenticating encryption bridge as described above further including:

a user input module capable of accepting RF transmission input.

A self-authenticating encryption bridge as described above further including:

an encryption/decryption control module that prevents data on the mass storage device from being accessed until the user has been validated by analyzing parameters sent from the user input module.

A self-authenticating encryption bridge as described above further including:

an encryption/decryption control module containing multiple pairs of decryption keys and authentication parameters.

A self-authenticating encryption bridge as described above further including:

an encryption/decryption control module containing a single encryption key associated with multiple authentication parameters.

A self-authenticating encryption bridge as described above further including:

a self-authenticating encryption bridge embodied in and integral to the mass storage device.

A self-authenticating encryption bridge as described above further including:

a self-authenticating encryption bridge embodied in and integral to the communication channel (e.g. cable and/or connectors and/or casing).

A self-authenticating encryption bridge as described above further including:

a self-authenticating encryption bridge embodied in and integral to the output connector on the computer.

A self-authenticating encryption bridge as described above further including:

an encrypted channel and a clear channel composed of termination points capable of plugging directly into a mass storage device and computer without the use of additional cables.

A self-authenticating encryption bridge as described above further including:

wireless communication used for either or both the encrypted and clear communication channels.

A self-authenticating encryption bridge as described above further including:

a power source that may be derived from the communication channel or an internal source.

While the invention has been described in conjunction with a specific best mode, it is to be understood that many alternatives, modifications, and variations will be apparent to those skilled in the art in light of the aforegoing description. Accordingly, it is intended to embrace all such alternatives, modifications, and variations that fall within the scope of the included claims. All matters set forth herein or shown in the accompanying drawings are to be interpreted in an illustrative and non-limiting sense.

What is claimed is:
 1. A method of operation of a self-authenticating encryption bridge comprising: locking a user input module until a user has been authenticated; encrypting or decrypting data in an encryption/decryption control module when the user has been authenticated in the user input module; transferring encrypted data from a mass storage device to the encryption/decryption control module in a first communication channel; and transferring clear data to a computer from the encryption/decryption control module in a second communication channel.
 2. The method as claimed in claim 1 further comprising: not encrypting or decrypting data in the encryption/decryption control module when the user is unable to be authenticated in the user input module.
 3. The method as claimed in claim 1 further comprising: containing an authentication parameter for authenticating the user inside of the self-authenticating encryption bridge; and containing an encryption key for encrypting and decrypting clear data in the encryption/decryption control module.
 4. The method as claimed in claim 1 further comprising: containing a plurality of authentication parameters for authenticating a plurality of users inside of the self-authenticating encryption bridge; and containing an encryption key for encrypting and decrypting clear data in the encryption/decryption control module.
 5. The method as claimed in claim 1 further comprising: containing an authentication parameter for authenticating the user inside of the self-authenticating encryption bridge; and containing a plurality of encryption keys for providing a plurality of ways of encrypting and decrypting clear data in the encryption/decryption control module.
 6. A method comprising: locking a user input module until a user has been authenticated; unlocking the user input module when the user has been authenticated; allowing a mass storage device to become accessible to a computer when the user has been authenticated in the user input module and the user input module has been unlocked; transferring encrypted data wirelessly or by wire to and from a mass storage device to and from the encryption/decryption control module in a first communication channel; encrypting or decrypting data in the encryption/decryption control module when the user has been authenticated in the user input module and the user input module has been unlocked; decrypting encrypted data to the computer from the mass storage device in the encryption/decryption control module when and the user input module has been unlocked and the mass storage device is accessible to the computer; transferring clear data wirelessly or by wire to and from a computer to and from the encryption/decryption control module in a second communication channel; and encrypting clear data from the computer to the mass storage device in the encryption/decryption control module when and the user input module has been unlocked and the mass storage device is accessible to the computer.
 7. The method as claimed in claim 6 further comprising: not encrypting or decrypting data in the encryption/decryption control module when the user is unable to be wirelessly or by wire authenticated in the user input module and the user input module is locked.
 8. The method as claimed in claim 6 further comprising: powering the user input module from the second communication channel; and powering the encryption/decryption control module from the second communication channel.
 9. The method as claimed in claim 6 further comprising: powering the user input module and the encryption/decryption control module from a power source in the self-authenticating encryption bridge.
 10. The method as claimed in claim 6 further comprising: containing a plurality of authentication parameters for authenticating a plurality of users in the self-authenticating encryption bridge; and containing an encryption key for encrypting and decrypting clear data in the encryption/decryption control module.
 11. A self-authenticating encryption bridge comprising: a user input module for remaining locked until a user has been authenticated; an encryption/decryption control module responsive to the user input module for encrypting or decrypting data when the user has been authenticated; a first communication channel for transferring encrypted data from a mass storage device to the encryption/decryption control module; and a second communication channel for transferring clear data to a computer from the encryption/decryption control module.
 12. The self-authenticating encryption bridge as claimed in claim 11 wherein: the encryption/decryption control module is responsive to the user input module for not encrypting or decrypting data when the user is unable to be authenticated.
 13. The self-authenticating encryption bridge as claimed in claim 11 wherein: the self-authenticating encryption bridge contains an authentication parameter for authenticating the user; and the encryption/decryption control module contains an encryption key for encrypting and decrypting clear data.
 14. The self-authenticating encryption bridge as claimed in claim 11 wherein: the self-authenticating encryption bridge contains a plurality of authentication parameters for authenticating a plurality of users; and the encryption/decryption control module contains an encryption key for encrypting and decrypting clear data.
 15. The self-authenticating encryption bridge as claimed in claim 11 wherein: the self-authenticating encryption bridge contains an authentication parameter for authenticating the user; and the encryption/decryption control module contains a plurality of encryption keys for providing a plurality of ways of encrypting and decrypting clear data.
 16. The self-authenticating encryption bridge as claimed in claim 11 wherein: the encryption/decryption control module is responsive to the user input module for allowing the mass storage device to become accessible to the computer when the user has been authenticated; the encryption/decryption control module is for encrypting clear data from the computer to the mass storage device when the mass storage device is accessible to the computer wirelessly or by wire over a first channel; and the encryption/decryption control module is for encrypting or decrypting data to the computer from the mass storage device when the mass storage device is accessible to the computer wirelessly or by wire over a second channel.
 17. The self-authenticating encryption bridge as claimed in claim 16 wherein: the encryption/decryption control module is responsive to the user input module for not encrypting or decrypting data when the user is unable to be wirelessly or by wire authenticated.
 18. The self-authenticating encryption bridge as claimed in claim 16 wherein: the user input module is powered from the second communication channel; and the encryption/decryption control module is powered from the second communication channel.
 19. The self-authenticating encryption bridge as claimed in claim 16 further comprising: a power source in the self-authenticating encryption bridge for powering the user input module and the encryption/decryption control module.
 20. The self-authenticating encryption bridge as claimed in claim 16 wherein: the self-authenticating encryption bridge contains a plurality of authentication parameters for authenticating a plurality of users; and the encryption/decryption control module contains an encryption key for encrypting and decrypting clear data.